From ab70ee9a51750e6c7fc27a30e6345876eefcc2dc Mon Sep 17 00:00:00 2001
From: clerie
Date: Sun, 10 Jan 2021 18:47:11 +0100
Subject: [PATCH] Connect gatekeeper to internal network
---
 hosts/carbon/configuration.nix | 19 +++++
 hosts/gatekeeper/configuration.nix | 119 ++++++++++++++++++++++++++++-
 hosts/nonat/configuration.nix | 21 ++++-
 3 files changed, 157 insertions(+), 2 deletions(-)
diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 496db0f..246f916 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -46,6 +46,17 @@
 networking.wireguard.enable = true;
 networking.wireguard.interfaces = {
+ wg-gatekeeper = {
+ ips = [ "fe80::127:2/64" "169.254.127.2/24" ];
+ peers = [ {
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "gatekeeper.net.clerie.de:50127";
+ publicKey = "y+Bk5eIHgmnq9xuBDD+fk/OIkKRZU6AE4ISx4RdDDyg=";
+ persistentKeepalive = 25;
+ } ];
+ allowedIPsAsRoutes = false;
+ privateKeyFile = "/var/src/secrets/wireguard/wg-gatekeeper";
+ };
 wg-porter = {
 ips = [ "fe80::138:2/64" "169.254.138.2/24" ];
 peers = [ {
@@ -131,6 +142,10 @@
 export all;
 };
 area 0 {
+ interface "wg-gatekeeper" {
+ cost 80;
+ type pointopoint;
+ };
 interface "wg-porter" {
 cost 80;
 type pointopoint;
@@ -145,6 +160,10 @@
 export all;
 };
 area 0 {
+ interface "wg-gatekeeper" {
+ cost 80;
+ type pointopoint;
+ };
 interface "wg-porter" {
 cost 80;
 type pointopoint;
diff --git a/hosts/gatekeeper/configuration.nix b/hosts/gatekeeper/configuration.nix
index 8b1a8ff..252bd5d 100644
--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
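Review bot: The wg-gatekeeper peer added on carbon is the only one of the new tunnels in this commit that sets `persistentKeepalive = 25` and declares no `listenPort`, and gatekeeper's matching wg-carbon peer in the next file has no `endpoint` either, so carbon appears to be a dial-out-only host that must keep its NAT mapping alive; that asymmetry is undocumented. A one-line comment above the block, e.g. `# carbon has no reachable endpoint: it dials gatekeeper and keeps the NAT mapping alive`, would stop a later reader from "fixing" it to look like wg-nonat. The enclosing `networking.wireguard.interfaces` set starts and ends outside the hunk.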
@@ -40,6 +40,27 @@
 networking.wireguard.enable = true;
 networking.wireguard.interfaces = {
+ wg-carbon = {
+ ips = [ "fe80::127:1/64" "169.254.127.1/24" ];
+ peers = [ {
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ publicKey = "5EVyQC0y704asO4SwsGbAoFGKusuO4a6IJ2bS/5bcTI=";
+ } ];
+ listenPort = 50127;
+ allowedIPsAsRoutes = false;
+ privateKeyFile = "/var/src/secrets/wireguard/wg-carbon";
+ };
+ wg-nonat = {
+ ips = [ "fe80::128:1/64" "169.254.128.1/24" ];
+ peers = [ {
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "nonat.net.clerie.de:50128";
+ publicKey = "0GGDyPj/0uMaba9pmOyj+Sx+3jMivpRdpTJhadl6bS8=";
+ } ];
+ listenPort = 50128;
+ allowedIPsAsRoutes = false;
+ privateKeyFile = "/var/src/secrets/wireguard/wg-nonat";
+ };
 wg-vpn = {
 ips = [ "2a01:4f8:c0c:15f1::8001/113" "10.20.30.1/24" ];
 peers = [
@@ -79,7 +100,7 @@
 };
 };
- networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.allowedUDPPorts = [ 50127 50128 51820 ];
 clerie.nginx-port-forward = {
 enable = true;
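Review bot: Both new peers use `allowedIPs = [ "0.0.0.0/0" "::/0" ]` together with `allowedIPsAsRoutes = false`, which disables WireGuard's cryptokey source check, so anything carbon or nonat sends is accepted with any source address and then fed to the OSPF instances (`import all`) and forwarded under the policy rules added later in this file. That turns each peer key into a fully trusted router for the whole internal network rather than just its own prefixes; this is the usual way to run a dynamic routing protocol over WireGuard, but it deserves a comment, e.g. `# 0/0 allowedIPs: routing is done by bird, not cryptokey routing; every peer is a trusted router`. If peer trust is meant to be narrower, an OSPF `import filter` restricted to the internal prefixes (the fd00:152:152::/48 and 10.152.0.0/16 the policy rules name) and a reverse-path check on the wg-* interfaces would bound what a compromised peer can inject. The enclosing interfaces set continues outside the hunk.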
@@ -101,5 +122,101 @@
 };
 };
+ petabyte.policyrouting = {
+ enable = true;
+ rules6 = [
+ { rule = "from all to fd00:152:152::/48 lookup 1000"; prio = 10000; } # OSPF
+ { rule = "from fd00:152:152::/48 lookup 2000"; prio = 10000; } # BGP
+ { rule = "from all to fd00:152:152::/48 unreachable"; prio = 20000; }
+ ];
+ rules4 = [
+ { rule = "from all to 10.152.0.0/16 lookup 1000"; prio = 10000; } # OSPF
+ { rule = "from 10.152.0.0/16 lookup 2000"; prio = 10000; } # BGP
+ { rule = "from all to 10.152.0.0/16 unreachable"; prio = 20000; }
+ ];
+ };
+
+ services.bird2.enable = true;
+ services.bird2.config = ''
+ router id ${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
+
+ ipv6 table ospf6;
+ ipv4 table ospf4;
+
+ protocol direct {
+ interface "lo";
+ ipv6 {
+ table ospf6;
+ };
+ ipv4 {
+ table ospf4;
+ };
+ }
+
+ protocol kernel kernel_ospf6 {
+ kernel table 1000;
+ ipv6 {
+ table ospf6;
+ export filter {
+ krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv6.addresses).address };
+ accept;
+ };
+ import none;
+ };
+ }
+
+ protocol kernel kernel_ospf4 {
+ kernel table 1000;
+ ipv4 {
+ table ospf4;
+ export filter {
+ krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
+ accept;
+ };
+ import none;
+ };
+ }
+
+ protocol ospf v3 ospf_6 {
+ ipv6 {
+ table ospf6;
+ import all;
+ export all;
+ };
+ area 0 {
+ interface "wg-carbon" {
+ cost 80;
+ type pointopoint;
+ };
+ interface "wg-nonat" {
+ cost 80;
+ type pointopoint;
+ };
+ };
+ }
+
+ protocol ospf v3 ospf_4 {
+ ipv4 {
+ table ospf4;
+ import all;
+ export all;
+ };
+ area 0 {
+ interface "wg-carbon" {
+ cost 80;
+ type pointopoint;
+ };
+ interface "wg-nonat" {
+ cost 80;
+ type pointopoint;
+ };
+ };
+ }
+
+ protocol device {
+ scan time 10;
+ }
+ '';
+
 system.stateVersion = "21.03";
 }
diff --git a/hosts/nonat/configuration.nix b/hosts/nonat/configuration.nix
index 9980438..9689255 100644
--- a/hosts/nonat/configuration.nix
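Review bot: The new policy rules send traffic from any source toward fd00:152:152::/48 and 10.152.0.0/16 through table 1000, and this same host terminates the existing wg-vpn (10.20.30.0/24 and 2a01:4f8:c0c:15f1::8001/113 in the previous hunk's context) and the nginx port forward, so after this hunk every VPN client can presumably reach the internal network unless a FORWARD rule elsewhere blocks it; no such rule is added here. If that is not the intent, pair the rules with an explicit forwarding policy, for instance `networking.firewall.extraCommands = "ip46tables -A FORWARD -i wg-vpn -o wg-carbon -j DROP";` (and likewise for wg-nonat), or add a comment stating that VPN clients are meant to have full internal access. Separately, the two rules marked `# BGP` route internal-sourced traffic via table 2000, but nothing in this bird config exports into table 2000, so on gatekeeper they look like a copy from nonat and are a no-op until some protocol populates that table. Finally, `lib.head config.networking.interfaces.lo.ipv4.addresses` (and the ipv6 twin) fails evaluation with an unhelpful error if lo has no address; an `assert` with a message, or a comment naming that precondition, would help.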
+++ b/hosts/nonat/configuration.nix
@@ -52,6 +52,17 @@
 networking.wireguard.enable = true;
 networking.wireguard.interfaces = {
+ wg-gatekeeper = {
+ ips = [ "fe80::128:2/64" "169.254.128.2/24" ];
+ peers = [ {
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "gatekeeper.net.clerie.de:50128";
+ publicKey = "7QHjiBbWhpOw4OX3Ye58v0YEOqhdfGJSyaHCdiCa20Q=";
+ } ];
+ listenPort = 50128;
+ allowedIPsAsRoutes = false;
+ privateKeyFile = "/var/src/secrets/wireguard/wg-gatekeeper";
+ };
 wg-porter = {
 ips = [ "fe80::1337:2/64" "169.254.137.2/24" ];
 peers = [ {
@@ -65,7 +76,7 @@
 };
 };
- networking.firewall.allowedUDPPorts = [ 51337 ];
+ networking.firewall.allowedUDPPorts = [ 50128 51337 ];
 petabyte.policyrouting = {
 enable = true;
@@ -139,6 +150,10 @@
 export all;
 };
 area 0 {
+ interface "wg-gatekeeper" {
+ cost 80;
+ type pointopoint;
+ };
 interface "wg-porter" {
 cost 80;
 type pointopoint;
@@ -153,6 +168,10 @@
 export all;
 };
 area 0 {
+ interface "wg-gatekeeper" {
+ cost 80;
+ type pointopoint;
+ };
 interface "wg-porter" {
 cost 80;
 type pointopoint;
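Review bot: This wg-gatekeeper block is the fourth near-verbatim copy of the same peer stanza in the commit, differing only in the link index (127/128), the key, the endpoint and the port, and the values that must agree on both ends (`fe80::128:1` vs `fe80::128:2`, port 50128 on both sides, each host's public key) are kept consistent purely by hand. A small shared module taking the link index and the peer's public key/endpoint, deriving the `fe80::<idx>:<side>/64` and `169.254.<idx>.<side>/24` addresses and the port, and setting `allowedIPs`, `allowedIPsAsRoutes` and `privateKeyFile` in one place would turn a mistyped key or port into something reviewable in one spot instead of a silent tunnel outage; the OSPF `interface` additions in the two later hunks could be generated from the same data. The enclosing interfaces set begins and ends outside the hunk.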